While some bad actors target high-profile organisations for political or egotistical reasons, the majority of cyber-attacks are driven by good, old-fashioned greed. The unfortunate truth is that black hat hacking is a highly lucrative, albeit highly skilled, "profession". From an attacker's point of view, the considerable cost a data breach imposes on its victim translates into income that carries very few overheads. Small wonder, therefore, that organisations' defensive measures need to be constantly tuned and reinforced.
To an attacker whose automated scripts and malicious code see only IP addresses on the internet, every industry with any online presence is equally exposed. But the retail industry in the UK and Ireland is both more susceptible to attack and more sensitive to the effects of a successful one. Consider the following four factors:
- The seasonal nature of retail means that business throughput is concentrated at specific times (Christmas, Ramadan, Halloween, Rosh Hashanah, Diwali and so on). Malicious activity is harder to detect and respond to during these peaks, when systems and people are already under maximum load and an anomaly is easily lost in legitimate traffic.
- Brick and mortar stores sit at the network edge, typically with their own local connectivity and point-of-sale systems, and are subject to particular online threats that take advantage of that position.
- Retailers' supply chains are long, complex, and subject to variation as business strategies change. Their scale and complexity add significantly to the attack surface presented to bad actors.
- Brand damage is particularly bad news for large retailers that trade in multiple areas. A besmirched reputation in consumer-packaged goods (CPG), for example, can significantly impact all other sectors where the retailer has a presence (such as food and beverage), even though those two trading operations are quite separate from one another. Negative social media and news coverage sticks to the brand and spreads quickly, with a highly undesirable impact on sales that can last months, if not years.
- There are further factors that affect retailers, though they are not unique to the sector. Difficult economic conditions mean more failed direct debit and card payments, plus more attempts at fraud. Each such incident generates legitimate communication between consumer and retailer, which makes it easier for an attacker to insert themselves into the exchange with spoofed messages or phishing emails that mimic a payment-failure notice.
Humans are very often the weakest link in any cyber defensive strategy, so technologies like SASE (secure access service edge) can help validate not only each user but each device as they interact with systems right across a distributed network of supply chain partners, brick and mortar stores' systems, ecommerce facilities and so on. This type of proactive defensive system will also encompass and protect hardware that's common in retail, like OT (operational technology) devices in warehouses and distribution systems, ePOS (electronic point of sale) terminals and the connectivity between edge installations (or "shops", as we might like to call them) and the rest of the business.
Many retailers have had to ramp up their online activities over the last few years, both because of the advent of large digital and logistical retail operators and because of the rise in preference for online buying since 2019. The speed of a digitisation journey is not necessarily a red flag for cybersecurity, but the age of a retailer's systems often is. Older, established retail business systems not only carry technical debt in the form of legacy technology; they were also designed to operate inside a protected perimeter. With the safe assumption that any company's perimeter will be compromised at some stage, a new cybersecurity approach may be called for.
On a recent episode of the Tech Means Business podcast, Prabhu Ramaiah (Director and Head of Retail for Wipro UK) said, “[moving online] puts them [retailers] in a very difficult position because they were not born in the digital world. They were born in a world [of] legacy technology. Then they get more and more exposed as they go into the digital world. So, it’s very, very important that they have the right measures and the right technologies to protect them from these elaborate attacks, which could happen to them at any point in time.”
At the other end of the technology spectrum, digital-first retailers are not immune from risk. Adopting multi-cloud computing and storage strategies, for example, widens the attack surface presented to bad actors. And the data retailers hold is highly valuable to attackers, and not limited to payment card details: personal information, including shopping preferences, location data and other personally identifiable data, trades well in the darker corners of the web. Regardless of a company's IT posture, it's apparent why retail is a sector that offers fast gains for malicious actors.
Whether it's penetration testing, anti-phishing education, SASE or an overhauled, cybersecurity-first IT procurement policy, many retailers are partnering with specialists to advise and accompany them to a safer future. Partnering with third parties in IT need not replace internal IT staff; it can supplement existing skills. Cybersecurity specialists, at least experienced and well-qualified ones, are thin on the ground at present, and those that are available command huge salaries. Drawing on deep experience and a broad range of cybersecurity skills and toolsets, third-party service providers (like Wipro) can help retailers meet their transformational objectives, and do it with safety baked into every solution. Ambitious companies need not be deterred by the fear of cyber threats; they just need to recognise that the sector has particular challenges that can be addressed with the right application of expertise and technology muscle.
To learn more about Wipro’s cybersecurity work in retail and CPG, click here.